In a move sure to spark controversy, the U.S. State Department has issued regulations on electronic passports, mandating that all U.S. passports be embedded with 64K RFID chips bearing the passport holder’s photo and personal data. The technology will begin appearing in passports issued to government employees in a pilot program beginning in December 2005, then be issued to American travelers in early 2006. By October 2006, virtually all U.S. passports will be required to have embedded RFID technology.
So-called “electronic passports” are already being issued by Sweden, but the technology opens up a host of potential privacy and security concerns, mostly centered around skimming and eavesdropping. Skimming refers to creating an unauthorized connection to an RFID tag to read its information, while eavesdropping refers to intercepting data transferred between RFID tag and a reader during an authorized connection. The State Department says the new passports will have shielding in their front covers and back plates to prevent skimming; the shielding should reduce the effective range of the RFID tag to around 10 centimeters when the passports are closed or mostly closed. The passports will also use Basic Access Control in the form of a PIN number printed on a passport’s data page: that number will be used to encrypt data communication between the RFID chip and the reader, helping protect the data while in transit.
The RFID chips in the passport comply with the ISO 14443 RFID specification, and will contain the same data printed on the passport’s data sheet: the bearer’s name, nationality, sex, birthdate, and place of birth, along with a digitized photo. The chips also comply with specifications developed by the International Civil Aviation Organization, the UN agency which developed standards for electronic passports to ensure compatibility between different countries; the ICAO’s specification includes the use of a public key infrastructure